Q1 2026 was the quarter Safeguard.sh stopped adding capabilities and started connecting the ones it already had. Three big threads ran through the quarter: closing the signed chain from source to runtime, making self-healing the default mode for low-risk findings, and shipping into environments that previously couldn't run us. This is the consolidated recap.
What shipped in Q1 2026?
Shipped
- Lino runtime attestations (January) — signed statements about what is actually running, closing the source-to-runtime chain.
- Self-healing workflows GA (January) — closed-loop remediation without a human in the loop, bounded by policy.
- Griffin + Eagle cache sharing (January) — content-addressable cache shared across engines.
- Runner fleet mode (January) — horizontally scalable, auto-coordinated self-hosted runner.
- Lino behavioral baselines (February) — per-service fingerprints and anomaly detection.
- Eagle base image advisories (February) — actionable suggestions instead of static verdicts.
- Griffin reachability for Rust (February, beta) — Rust joins as the fifth language in the reachability model.
- Desktop workflow editor (February) — visual editor backed by the same YAML workflows.
- Griffin taint tracking (March) — dataflow-aware triage on top of reachability.
- Eagle SBOM-driven advisories (March) — advisories across every component, not just the base image.
- Lino cross-service baselines (March) — peer comparison against cohorts.
- Runner air-gap installer (March) — single-binary provisioning for offline environments.
Improved
- 100-level scan picked up runtime health, Lino attestation checks, and taint-tracking sections in the report.
- Workflows gained on.attestation, parallel, barrier, cancel, and retry primitives.
- Gold started grouping findings into single PRs, respecting policy allowlists and deny lists, and writing a plain-language "why" paragraph for every PR.
- MCP server left beta (late Q4 2025), added streaming results (January), attestation tools (February), and policy tools (March).
- Desktop app added side-by-side verdicts, the workflow editor, and the attestation viewer.
- IDE extensions picked up inline Eagle advisories on FROM lines, inline taint verdicts, and Rust reachability.
Deprecated
- The legacy SARIF exporter is removed (January).
- The pre-3.0 runner reached EOL (end of March).
- sg remediate replaced by sg gold plan / sg gold apply (January).
- sg workflow validate deprecated (February); editor and engine validate live.
- sg attest export replaced by sg attestation export (March).
What is the signed chain from source to runtime?
Answer-first: three attestations, one chain. Griffin signs the source. Eagle signs the image. Lino signs the running workload. A verifier can walk the chain from a production pod back to the source commit that produced it.
Concretely:
- Griffin's source attestation binds a commit SHA to a scan verdict.
- Eagle's image attestation binds an image digest to a scan verdict and, transitively, to the source attestations for everything inside.
- Lino's runtime attestation binds a pod UID or invocation ID to an image digest and to observed runtime behavior.
Given a pod UID, Safeguard's admission controller can resolve the chain in about 300 ms, and a standalone verifier using the in-toto tooling can do it offline. The chain is what makes "we scanned this image" meaningful downstream — the thing running in production is cryptographically linked back to the code that was scanned.
Q1 was the quarter this chain became usable end to end. Before Q1 there was no Lino attestation. After Q1 there is a full chain in production.
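The walk described above, as an added illustration that is not Safeguard's verifier or its attestation format: three constructed statements (Griffin over a commit, Eagle over an image digest and the commits inside it, Lino over a pod UID and digest), with HMAC-SHA256 standing in for the engines' real signatures, and a resolver that refuses the chain if any link is missing, issued by the wrong engine, or altered after signing.

```python
import hashlib, hmac, json

# Constructed sample keys; HMAC-SHA256 stands in for the engines' real signatures.
KEYS = {"griffin": b"griffin-key", "eagle": b"eagle-key", "lino": b"lino-key"}

def canonical(payload):
    return json.dumps(payload, sort_keys=True).encode()

def sign(issuer, payload):
    """Attach an issuer-keyed MAC over the canonical JSON of the payload."""
    mac = hmac.new(KEYS[issuer], canonical(payload), hashlib.sha256).hexdigest()
    return {"issuer": issuer, "payload": payload, "sig": mac}

def verify(stmt, expected_issuer):
    """A link counts only if the expected engine issued it and the MAC checks out."""
    if stmt["issuer"] != expected_issuer:
        return False
    good = hmac.new(KEYS[expected_issuer], canonical(stmt["payload"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(good, stmt["sig"])

def lookup(statements, kind, field, value, issuer):
    """Verified statements of one kind whose payload field matches value."""
    return [s for s in statements if s["payload"].get("type") == kind
            and s["payload"].get(field) == value and verify(s, issuer)]

def resolve_chain(pod_uid, statements):
    """Walk pod UID -> image digest -> source commits; None if any link is missing or fails."""
    runtime = lookup(statements, "runtime", "pod_uid", pod_uid, "lino")
    if not runtime:
        return None
    image = lookup(statements, "image", "digest", runtime[0]["payload"]["digest"], "eagle")
    if not image:
        return None
    commits = image[0]["payload"]["sources"]
    for sha in commits:  # every source inside the image needs its own Griffin attestation
        if not lookup(statements, "source", "commit", sha, "griffin"):
            return None
    return list(commits)

def tamper(stmt, field, value):
    """Copy of stmt with one payload field altered but the original MAC kept."""
    return {**stmt, "payload": dict(stmt["payload"], **{field: value})}

# Constructed chain: one commit, one image built from it, one pod running that image.
STATEMENTS = [
    sign("griffin", {"type": "source", "commit": "a1b2c3d", "verdict": "pass"}),
    sign("eagle", {"type": "image", "digest": "sha256:1111", "verdict": "pass", "sources": ["a1b2c3d"]}),
    sign("lino", {"type": "runtime", "pod_uid": "pod-42", "digest": "sha256:1111", "behavior": "baseline"}),
]
```

A production verifier would check real signatures against engine public keys and a revocation list, but the walk itself is the same three hops.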
How mature is self-healing, really?
Self-healing went GA in January and matured over the quarter. By end of March, it handles:
- Patch-level bumps for transitives when reachability is confirmed.
- Base image digest updates for unchanged Dockerfiles.
- .npmrc, .pypirc, and cargo config hygiene fixes.
- Lockfile resync when the lockfile has drifted from the manifest.
- FROM line updates that accept Eagle base image advisories.
- Drift repair when a deployed image no longer matches its source commit.
In our own monorepo, self-healing now handles about 65 percent of Gold's PRs without human intervention. The remaining 35 percent fall into three buckets: findings whose remediation would exceed the policy's version-bump ceiling, findings whose tests fail after the remediation, and findings that conflict with an in-flight PR. All three of those buckets land on a human reviewer with a Gold-authored summary.
The thing self-healing is not: it is not a substitute for your test suite. If your tests don't catch a regression, self-healing won't either. It is a substitute for the boring triage that otherwise eats your security team's week.
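The policy gate behind the numbers above, as an added example rather than Gold's own logic: it classifies the proposed version bump, auto-applies only patch-level bumps for confirmed-reachable findings, and otherwise routes to one of the three human buckets the recap names. The default ceiling, the Finding fields, and what happens to unreachable findings are assumptions.

```python
from dataclasses import dataclass

RANK = {"patch": 0, "minor": 1, "major": 2}

def bump_level(current, proposed):
    """Classify a semver bump as patch/minor/major; None if it is not a forward x.y.z bump."""
    try:
        cur = tuple(int(p) for p in current.split("."))
        new = tuple(int(p) for p in proposed.split("."))
    except ValueError:
        return None
    if len(cur) != 3 or len(new) != 3 or new <= cur:
        return None
    if new[0] != cur[0]:
        return "major"
    return "minor" if new[1] != cur[1] else "patch"

@dataclass
class Finding:
    package: str
    current: str
    proposed: str              # version the remediation would bump to
    reachable: bool            # reachability verdict from the scanner
    tests_pass: bool           # suite result on the remediated tree
    conflicts_with: str = ""   # id of an in-flight PR touching the same dependency, if any

def route(finding, ceiling="patch"):
    """('auto', reason) when the fix may merge unattended, else ('human', bucket) or ('defer', reason)."""
    if not finding.reachable:
        return ("defer", "reachability not confirmed")   # assumption: no unattended fix without it
    level = bump_level(finding.current, finding.proposed)
    if level is None or RANK[level] > RANK[ceiling]:
        return ("human", "exceeds version-bump ceiling")
    if not finding.tests_pass:
        return ("human", "tests fail after remediation")
    if finding.conflicts_with:
        return ("human", "conflicts with in-flight PR " + finding.conflicts_with)
    return ("auto", f"{level} bump {finding.current} -> {finding.proposed}")

# Constructed sample findings with placeholder package names.
SAMPLE = [
    Finding("dep-a", "4.17.20", "4.17.21", reachable=True, tests_pass=True),
    Finding("dep-b", "1.2.5", "1.3.0", reachable=True, tests_pass=True),
    Finding("dep-c", "6.1.0", "6.1.1", reachable=True, tests_pass=False),
    Finding("dep-d", "8.4.0", "8.4.1", reachable=True, tests_pass=True, conflicts_with="PR-318"),
    Finding("dep-e", "7.3.4", "7.3.5", reachable=False, tests_pass=True),
]

def triage(findings, ceiling="patch"):
    """Map each package to its disposition, the way a grouped PR summary would list them."""
    return {f.package: route(f, ceiling)[0] for f in findings}
```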
Where is taint tracking useful?
Taint tracking turns Griffin's reachability into a more useful triage signal. The combined reachability + taint verdict partitions findings into four buckets: unreachable, reachable with no taint, reachable with partial taint, reachable with full taint. The fourth bucket is the one worth paging on.
For teams running Griffin in CI with a paging workflow, this typically drops paging volume by an order of magnitude. The reduction is bigger for services with a lot of transitive dependencies (Node, JVM) and smaller for services that are mostly first-party code.
Taint tracking also changed how we think about false positives. The old definition — "a CVE that doesn't affect you" — becomes "a CVE where no attacker-controlled data can reach the vulnerable path." That's a stricter definition and more useful in practice.
What changed about where Safeguard can run?
Runner fleet mode in January and the air-gap installer in March brought Safeguard into environments it previously could not reach. The short version:
- Fleet mode lets you run the runner horizontally in your own Kubernetes cluster. Control plane replicas, shared cache, auto-scaling. Aimed at teams that want to own their scan infrastructure.
- The air-gap installer lets you run the full platform with no outbound access. Single binary installs, signed manifest of contents, sideloaded detector updates. Aimed at regulated environments.
A non-trivial number of Q1's new customer conversations opened with "we'd like to deploy this into an environment where we can't call your API." The air-gap installer turns that from a blocker into a half-day install.
How Safeguard.sh Helps
Q1 2026 took a platform that worked and made it feel finished. The signed chain from source to runtime means a deployed workload is cryptographically traceable back to the code it came from. Self-healing workflows mean low-risk findings close themselves. Taint tracking means the findings that don't close themselves are the ones that actually matter. Fleet mode and the air-gap installer mean the whole platform runs wherever your team runs — managed cloud, your own Kubernetes, or an offline environment. Q1 closes with Safeguard.sh being a platform you don't have to think about until it hands you a finding worth thinking about.
What's next
Q2 2026 is queued around:
- Griffin: taint tracking GA for Rust, beta for Ruby and PHP.
- Eagle: SLSA level 3 attestations for customer-managed builds; generator builder support.
- Lino: eBPF-based observer on OpenShift and bare metal; auto-learned allowlists for egress destinations.
- Gold: self-healing for runtime deviations where remediation is known.
- The runner: cross-cloud fleet autoscaling, Windows worker support.
- Workflows: typed outputs with schema validation on every handoff.
- Desktop: incident view that groups Griffin, Eagle, and Lino findings by blast radius.
If any of those are the one you're waiting on, email us at contact@hsxtechnologies.com.